From 651153216b7109db45000f2e2ac53709e5572dda Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Thu, 30 Jul 2009 16:34:56 +0100
Subject: [PATCH] Disable IPv6 on virtual networks

If the bridge device is configured to have IPv6 address and accept router advertisments, then a malicious guest can send out bogus advertisments and hijack/DOS host IPv6 connectivity

* src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virual network bridge devices
---
 src/network_driver.c | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/src/network_driver.c b/src/network_driver.c
index 1683631dda..eaea454143 100644
--- a/src/network_driver.c
+++ b/src/network_driver.c
@@ -788,6 +788,55 @@ networkEnableIpForwarding(void)
     return virFileWriteStr("/proc/sys/net/ipv4/ip_forward", "1\n");
 }
 
+#define SYSCTL_PATH "/proc/sys"
+
+static int networkDisableIPV6(virConnectPtr conn,
+                              virNetworkObjPtr network)
+{
+    char *field = NULL;
+    int ret = -1;
+
+    if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/disable_ipv6", network->def->bridge) < 0) {
+        virReportOOMError(conn);
+        goto cleanup;
+    }
+
+    if (virFileWriteStr(field, "1") < 0) {
+        virReportSystemError(conn, errno,
+                             _("cannot enable %s"), field);
+        goto cleanup;
+    }
+    VIR_FREE(field);
+
+    if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/accept_ra", network->def->bridge) < 0) {
+        virReportOOMError(conn);
+        goto cleanup;
+    }
+
+    if (virFileWriteStr(field, "0") < 0) {
+        virReportSystemError(conn, errno,
+                             _("cannot disable %s"), field);
+        goto cleanup;
+    }
+    VIR_FREE(field);
+
+    if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/autoconf", network->def->bridge) < 0) {
+        virReportOOMError(conn);
+        goto cleanup;
+    }
+
+    if (virFileWriteStr(field, "1") < 0) {
+        virReportSystemError(conn, errno,
+                             _("cannot enable %s"), field);
+        goto cleanup;
+    }
+
+    ret = 0;
+cleanup:
+    VIR_FREE(field);
+    return ret;
+}
+
 static int networkStartNetworkDaemon(virConnectPtr conn,
                                      struct network_driver *driver,
                                      virNetworkObjPtr network) {
@@ -806,6 +855,9 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
         return -1;
     }
 
+    if (networkDisableIPV6(conn, network) < 0)
+        goto err_delbr;
+
     if (brSetForwardDelay(driver->brctl, network->def->bridge, network->def->delay) < 0)
         goto err_delbr;
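Review bot: The third sysctl write in networkDisableIPV6 stores "1" into the bridge's autoconf file and reports "cannot enable", while the commit message says autoconf=0; writing "1" leaves stateless address autoconfiguration on, so the hardening this patch describes is only partly applied. In that block change `if (virFileWriteStr(field, "1") < 0) {` to `if (virFileWriteStr(field, "0") < 0) {` and the message to `_("cannot disable %s"), field);`. A second point: every failed write is fatal to network start, and the /proc/sys/net/ipv6 tree is presumably absent on kernels built without IPv6, so such hosts would lose virtual networking although there is nothing to disable there; consider treating ENOENT on the disable_ipv6 path as "nothing to do" rather than an error. Minor style: networkEnableIpForwarding just above writes "1\n" while these writes omit the newline; either form is accepted by /proc/sys, but one convention within the file would be cleaner.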